9 GDPR Basics You Need to Know

The whole point of GDPR is to give people, like you and me, more control over our data. GDPR applies to everyone, not the select few. It is applicable to any data that can be used to identify an individual. This ranges from genetic data to social data.

It doesn’t apply to my small business, there are less than 10 staff members …

Incorrect. The size of your business does not matter, but what does matter is how your data is handled. Many organisations will need to appoint a Data Protection Officer (DPO) to ensure that data handling and processes conform to the law.

As well as this, data controllers will need to carry out mandatory Privacy Impact Assessments (PIAs) where chance of security breaches are high. This will minimise risks to data subjects – much like a risk assessment.

Here are 9 basic points about GDPR that you need to know.

The right to data correction

Also known as the right to rectification. This part of GDPR gives people a chance to change any information an organisation may hold about them. This must be done without undue delay.

Stricter Consent

A person must be CLEARLY informed and consulted of any processing of their data and how it is being used. They must also positively opt in to ensure that they are aware of signing up. Default consent or pre-ticked boxes are not classed as consent.

If a person has gone silent or inactive for a long period of time, they will need to opt-in again. In terms of records, evidence of consent such as who, when, how and information given to data subject, must be recorded.

Right to erasure

Formerly known as right to be forgotten. If a person wishes to be removed from a database, all information/ data linked to them must be erased. This has to be done without undue delay (up to 1 month). This includes notification to any third party who may also withhold said data. The right to erasure only applies in certain circumstances.

Risk notification

A person must be informed of any data endangerment that is linked to their information. They must also be kept up to date on what is happening along the course of the data handling process.

Organisations will also need to notify a Data Protection authority of any possible breaches within 72 hours of discovery. Technology will need to be in place so that these problems can be detected as soon as it happens.

Default privacy

Data can only be handled and processed according to the terms agreed between both parties, unless agreed otherwise. According to the ICO, ‘you have a general obligation to implement technical and organisational measures. This will show that you have considered and integrated data protection into your processing activities.’ This means that software will need to be built with GDPR in mind, which could be a difficult task for developers.

Violation of terms

Controllers and processors can both be held responsible for negligence of data security or non-compliance. Also, separate from fines and penalties from these violations, data subjects will be given the right to claim compensation for any damage suffered as a result of violation of terms.

Non-compliance

Complying with GDPR is not something you can pick and choose… the consequences are serious and severe. All penalties are effective, proportionate and dissuasive. They can amount to up to 4% of total annual turnover, or up to 20M euros – whichever is greater.

Data flow

All data processes and actions must be visible and traceable. Data mapping is the process of identifying and understanding the data flows within an organisation. This is essential as it is a way in which organisations can assess their privacy risks. It is also an essential step for completing a data protection impact assessment (DPIA). DPIAs are mandatory for certain types of processing.

Complete security

There cannot be any gaps in security from the moment data is given, to the moment ‘right to be forgotten’ is requested.

If you are wondering how you are going to ensure that you are GDPR compliant, or don’t know where to start when it comes to data checks, contact us.